From 2fbf4806eda37a7b8eed6ac66ef9c9fb50082a6e Mon Sep 17 00:00:00 2001
From: Chad Swenson
Date: Thu, 19 Dec 2024 11:12:09 -0600
Subject: [PATCH] Add ResourceQuota plugin configuration (#11814)

This enables [configuration](https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default) of the [ResourceQuota AdmissionController plugin](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#resourcequota). The configuration file will be empty by default when no limitedResources are set.
---
 roles/kubernetes/control-plane/defaults/main/main.yml | 11 +++++++++++
 .../control-plane/templates/resourcequota.yaml.j2 | 8 ++++++++
 roles/kubernetes/control-plane/vars/main.yaml | 1 +
 3 files changed, 20 insertions(+)
 create mode 100644 roles/kubernetes/control-plane/templates/resourcequota.yaml.j2

diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 00da94347..dbc0f2396 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -107,6 +107,7 @@ kube_apiserver_admission_control_config_file: false
 # cache_size:
 kube_apiserver_admission_event_rate_limits: {}
 
+## PodSecurityAdmission plugin configuration
 kube_pod_security_use_default: false
 kube_pod_security_default_enforce: baseline
 kube_pod_security_default_enforce_version: "{{ kube_major_version }}"
@@ -119,6 +120,16 @@ kube_pod_security_exemptions_runtime_class_names: []
 kube_pod_security_exemptions_namespaces:
 - kube-system
 
+## ResourceQuota plugin configuration
+## Resources that ResourceQuota should limit by default if no quota exists
+## Example below enforces quota on all storage classes
+# kube_resource_quota_limited_resources:
+# - apiGroup: ""
+# resource: persistentvolumeclaims
+# matchContains:
+# - .storageclass.storage.k8s.io/requests.storage
+kube_resource_quota_limited_resources: []
+
 # 1.10+ list of disabled admission plugins
 kube_apiserver_disable_admission_plugins: []
 
diff --git a/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2 b/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2
new file mode 100644
index 000000000..ceec2511f
--- /dev/null
+++ b/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2
@@ -0,0 +1,8 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: ResourceQuotaConfiguration
+{% if kube_resource_quota_limited_resources | d(false) -%}
+limitedResources:
+{{ kube_resource_quota_limited_resources | to_nice_yaml(indent=2, sort_keys=false) }}
+{% else %}
+# No limitedResources configured. If limitedResources are required, please set kube_resource_quota_limited_resources.
+{%- endif %}
diff --git a/roles/kubernetes/control-plane/vars/main.yaml b/roles/kubernetes/control-plane/vars/main.yaml
index 3775d253a..263ee0b45 100644
--- a/roles/kubernetes/control-plane/vars/main.yaml
+++ b/roles/kubernetes/control-plane/vars/main.yaml
@@ -6,3 +6,4 @@ kube_apiserver_admission_plugins_needs_configuration:
 - ImagePolicyWebhook
 - PodSecurity
 - PodNodeSelector
+- ResourceQuota
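Review bot: The comment block above the new `kube_resource_quota_limited_resources: []` default does not say when the setting actually takes effect; judging from the `- ResourceQuota` entry added to `kube_apiserver_admission_plugins_needs_configuration` in vars/main.yaml, the template is presumably only rendered and wired into the admission config when `ResourceQuota` is also listed in `kube_apiserver_enable_admission_plugins` (that wiring is outside this diff, so please confirm). Because ResourceQuota is enabled in kube-apiserver by default, an operator who sets only this variable may get no limitedResources enforcement and no error telling them why. Suggest one more line above the default, e.g. `## Requires 'ResourceQuota' in kube_apiserver_enable_admission_plugins for this configuration to be rendered`. It would also help to mention that the priority-class case linked from the commit message uses a `matchScopes` selector rather than the `matchContains` form shown in the example.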
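Review bot: The `{% if kube_resource_quota_limited_resources | d(false) -%}` guard in resourcequota.yaml.j2 only tests truthiness, so a scalar value (for example one passed with `-e`) renders `limitedResources:` followed by a bare string, and kube-apiserver would most likely refuse its admission configuration at startup; the list shape should be validated, either by an assert task in the role (outside this diff) or in the template, e.g. `{% if kube_resource_quota_limited_resources | d([]) is not string and kube_resource_quota_limited_resources | d([]) | length > 0 -%}`. On the else branch, `{%- endif %}` strips the newline after the comment line, so the rendered file ends without a final newline; `{% endif %}` is enough here because Ansible's templating already trims the newline after block tags. Extending the else comment to say what an empty configuration means (quotas are still enforced wherever a ResourceQuota object exists; only the require-a-covering-quota-by-default behaviour is off) would help whoever reads the rendered file on the control plane.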